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Samba Administration Guide for OES Linux SP2 


About This Guide 


This guide describes the Novell implementation of Samba included in OES Linux, and includes 
instructions for performing basic configuration and setup tasks. Samba is an Open Source initiative 
and has extensive documentation on the Web, including that found at Samba.org (http:// 
www.samba.org). 


This guide includes the following sections: 


e “Overview of Samba” on page 9. 

+ “Implementing Samba” on page 11. 

e “Providing Access to Samba File Services” on page 21. 
+ “Samba User Tasks” on page 27. 

+ “Samba Caveats” on page 31. 


+ “Important Information for Using Novell Samba on OES Linux” on page 35. 


“Troubleshooting Samba Access” on page 47. 


Audience 


This guide is intended for network administrators. 


Feedback 


We want to hear your comments and suggestions about this guide and the other documentation 
included with this product. Please use the User Comments feature at the bottom of each page of the 
online documentation, or go to www.novell.com/documentation/feedback.html and enter your 
comments there. 


Documentation Updates 


For the most recent version of this and other OES guides, visit the OES Documentation Web site 
(http://www.novell.com/documentation/oes). 


Documentation Conventions 


In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and 
items in a cross-reference path. 


A trademark symbol @, TM etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party 
trademark. 


When a single pathname can be written with a backslash for some platforms or a forward slash for 
other platforms, the pathname is presented with a backslash. Users of platforms that require a 
forward slash, such as Linux or UNIX, should use forward slashes as required by your software. 
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Overview of Samba 


Samba is a suite of open-source tools that lets you use Microsoft file services protocols (SMB/CIFS 
and HTTP-WebDAV) with Linux and other platforms, such as Linux and Macintosh. 


This guide focuses on the Samba implementation in OES Linux. 


1.1 Samba Functionality in OES 


Samba lets Windows users access data files on an OES Linux server using familiar Windows 
interfaces, such as Windows Explorer, Network Neighborhood, and mapped drives. 


Although Samba can also provide Windows print services, OES print services are provided by 
iPrint, not Samba. 


A more general overview of the Samba file services in OES is provided in “Novell Samba” in the 
.Novell OES SP2 Planning and Implementation Guide. 


This guide focuses primarily on 
+ How Novell has packaged Samba in OES. 


e How Samba is configured to use the eDirectory™ LDAP server for user authentication. 


+ How NSS volumes and other technologies included in OES Linux impact Samba 
administrators and users. 


For more information about the Samba open-source initiative, refer to the links contained in Section 
B.7, “Web Links,” on page 46. 
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Implementing Samba 


This section provides implementation instructions and links to other relevant implementation 


sections. 


e Section 2.1, “Samba Implementation Overview,” on page 11 


+ Section 2.2, “Installing Samba,” on page 12 


e Section 2.3, “Creating and Enabling Samba Users and Groups,” on page 14 


2.1 Samba Implementation Overview 


Table 2-1 presents a brief overview of the tasks required to implement Samba on an OES Linux 


server with links to each relevant section. 


Table 2-1 Samba Implementation Overview 


Task 


1. Review caveats and other important information. 


2. Install Samba on the server. 


3. Understand Samba user requirements. 


4. Create Samba users. 


More information 


To avoid the unexpected, such as users being able 
to view the content of other users’ home directories, 
you should take a brief look at the following 
sections before you install Samba: 


« Appendix A, “Samba Caveats,” on page 31. 


e Appendix B, “Important Information for Using 
Novell Samba on OES Linux,” on page 35. 


You can install Samba on your OES Linux server as 
part of the initial server installation, or you can add 
it later. 


For more information, see Section 2.2, “Installing 
Samba,” on page 12. 


Samba users are defined both in the Windows 
environment and in eDirectory. 


For more information, see Section 2.3.1, “Samba 
Users Are Both Windows and eDirectory Users,” on 
page 15. 


Network administrators create eDirectory™ users 
with the same usernames and passwords as the 
users have on their Windows workstations. 


For more information, see Section 2.3, “Creating 
and Enabling Samba Users and Groups,” on 
page 14. 
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Task More information 


5. Create work directories for the users to access. User need rights to directories on the OES server 
where they can create and store data. 


For more information, see Section 3.1, “Creating 
Work Directories for Users,” on page 21. 


6. Make work directories available in Windows Users need to be able to browse to a workgroup, 
Explorer, Network Neighborhood, etc. server, and shares (work directories) just as they 
would on a Windows server. 


For more information, see Section 3.2, “Setting Up 
Workgroups and Shares (Access Points),” on 
page 21 


7. Understand the access options available to users For more information, see Chapter 4, “Samba User 
and communicate those options to them. Tasks,” on page 27. 


2.2 Installing Samba 


Novell Samba can be installed at the same time as Open Enterprise Server, or it can be added to an 
OES Linux server after the initial installation. 


To install Samba as part of an initial installation, see the instructions in “Installing OES Linux as a 
New Installation” in the OES Linux Installation Guide. 


To install Samba on an existing OES Linux server, do the following: 


NOTE: These instructions assume you are using the default graphical user interface for SLES 9 
(KDE) and installing from a network installation source. If you are using the ncurses (text) version 
of YaST, these instructions provide only a rough guide through the interface. If you are installing 
from CDs, insert them when prompted. 


Log in to the server as the root user. 

Start YaST by clicking the Red N > System > YaST. 

Click Network Services > Novell Samba. 

When prompted, click Continue to install the Samba RPMs. 


a fF O N = 


Type the eDirectory Admin user password in the Admin password field when prompted, then 
click Next. 


6 Change the Base context for Samba users field to an eDirectory container object that is above 
both the Samba server and Samba users in your eDirectory tree. 


The Base Context field is automatically populated with the context of your OES Linux server. 


Unless your Samba users are (or will be) located in the same container as the server or in a sub- 
context (sub-container) of it, you must change this field. 
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Figure 2-1 illustrates the problem. 


Figure 2-1 An Invalid Base Context 


TREE 
COMPANY 
IS 
SERVERS USERS 
a E 
Host HOST-W Samba User 


d @ 6 À 


O onto A 
object 


A) The sambaDomain object is created in the container specified during installation as the 
Base Context for Samba users. 


By default, the Base Context is set to the Samba server’s parent container (SERVERS). 


O The sambaDomain object must find both 
« The Samba server 


* The Samba user 


in either its parent container or down the tree in subcontainers. 


© Because the sambaDomain object can’t find the Samba user, the user can’t be enabled for 
Samba. 
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For most installations, setting the base context as illustrated in Figure 2-2 works well. 


Figure 2-2 A Valid Base Context 


TREE 
sambaDomain | 
object D COMPANY 
D Is 
SERVERS USERS 
Server Samba User 
O You should set the Base Context to a container that is a hierarchical parent of both 
the server and the user. 
Valid context for the tree structure shown are 
+ o=COMPANY 
*_ou=IS.o=- COMPANY 
B) The sambaDomain object can then find both 


¢« The Samba server 


* The Samba user 


For more information, see Section A.1, “Samba Enabling Problems and the Base Context for 
Samba Users Field,” on page 31. 


7 Click Next. 
8 Close YaST. 


Samba is now installed, but your eDirectory users must be enabled for Samba before they can use it. 


For more information, see “Creating and Enabling Samba Users and Groups” on page 14. 


2.3 Creating and Enabling Samba Users and 
Groups 


This section discusses the following topics. 


e Section 2.3.1, “Samba Users Are Both Windows and eDirectory Users,” on page 15 
e Section 2.3.2, “Creating an eDirectory Container for User Objects,” on page 15 
e Section 2.3.3, “Creating eDirectory Users,” on page 15 


e Section 2.3.4, “Creating an eDirectory Group and Assigning the Users to It,” on page 16 
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+ Section 2.3.5, “Enabling the Group and Users for Linux Access (LUM),” on page 17 
e Section 2.3.6, “Enabling Multiple eDirectory Users with smbbulkadd,” on page 17 
e Section 2.3.7, “Enabling Users for Samba Access Using iManager,” on page 19 


2.3.1 Samba Users Are Both Windows and eDirectory Users 


As stated earlier, the purpose of Samba in OES is to provide Windows file services for Windows 
client users to data directories on OES Linux servers. 


Both the Windows workstations and the OES Linux servers require authenticated access. On the 
Windows workstation, users log in using their Windows usernames and passwords. When they log 
in to the OES Linux server, they use their eDirectory usernames and passwords. Samba requires that 
these usernames and passwords match. 


In other words, the Windows usernames on your network workstations and the eDirectory 
usernames you create for Samba access must be the same and must have the same password. 


2.3.2 Creating an eDirectory Container for User Objects 


IMPORTANT: Samba users must be created in a container within the Base Context for Samba 
Users that you specified when you installed Samba (Step 6 on page 12). 


User objects that don’t meet this requirement cannot be enabled for Samba access. If you need to 
change the context, see the instructions in Section C.1, “A sambaDomain Object Error Occurs,” on 
page 47. 


1 In your browser, enter the iManager URL (http://ZP_or DNS name/nps) and log in to 
iManager as the eDirectory Admin user or equivalent. 


2 Ifthe container for your new Samba users already exists, skip to “Creating eDirectory Users” 
on page 15. 


3 To create a context in iManager for your users, click Roles and Tasks > eDirectory 
Administration > Create Object > Organizational Unit and create the (OU) object before 
proceeding. 


For more information on context requirements for the object, see the previously referenced 
Section A.1, “Samba Enabling Problems and the Base Context for Samba Users Field,” on 
page 31. 


Continue with Creating eDirectory Users. 


2.3.3 Creating eDirectory Users 


IMPORTANT: If you want to create home directories for your users as part of the user-creation 
process, you must create an NCP or an NSS volume for the directories prior to completing the 
following procedure. For more information, see “Creating NCP Volumes” in the NCP Server for 
Linux Administration Guide or Creating NSS Storage Objects in eDirectory in the Novell Storage 
Services File System Administration Guide for OES. 


1 Ifthe users you plan to enable for Samba are already defined as eDirectory users, skip to 
“Creating an eDirectory Group and Assigning the Users to It” on page 16. 
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2 IniManager, click Roles and Tasks > Users > Create User. 


TIP: To see whether a User object already exists using iManager, click the View Objects icon. 
Click the Search tab. Set the Type to User, and click Search. All currently-defined User objects 
are listed. 


3 Be sure to select the context you have identified for your Samba users (Step 3 in the previous 
section). 


4 Specify an eDirectory password, then scroll down to see more of the dialog. 


5 Do not set a simple password even though the interface indicates it is required for native 
Windows access. Enabling a user for Samba access creates a Universal Password by default, 
making it much easier for users to keep their passwords synchronized. 


6 (Conditional) You can create a home directory for the user if you have an NCP volume 
available (either created on a traditional Linux partition or existing an NSS partition on the 
server). 


For more information and some helpful tips, see “Creating and Enabling Samba Users and 
Groups” on page 14. See also, “Samba on NSS Can Be a Good Combination for Performance” 
on page 39. 


7 Type (or select if defined) any other information you want associated with the user, such as 
Title, Telephone, etc. 


8 Click OK. 
9 Click Repeat Task to create another user, or click OK to finish. 


After creating all the users, continue with Creating an eDirectory Group and Assigning the Users to 
It. 


2.3.4 Creating an eDirectory Group and Assigning the Users to 
It 


An eDirectory Group object consists of users who have common needs, such as file service needs. 
Working with Group objects makes it easier to enable or disable policies for multiple users at a time. 


You can create a new Group object just for managing Samba users, or you can use an existing Group 
object. 


1 If your eDirectory users are already members of a group you can enable for Linux access, skip 
to “Enabling the Group and Users for Linux Access (LUM)” on page 17. 

2 Click Groups > Create Group, 

3 Type a name for the group. 


4 Select a context for the group. Although Group objects are often in the same container as the 
User objects assigned to them, this is not required. 


5 Click OK. 
6 Click Modify. 


7 Select the Members drop-down option below the page title, or in Internet Explorer, click the 
Members tab. 


8 Browse [XI to the users you want to add to the group, click each User object, then click OK. 
9 Click Apply > OK. 
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Continue with Enabling the Group and Users for Linux Access (LUM). 


2.3.5 Enabling the Group and Users for Linux Access (LUM) 


1 


5 


Enable the group you just created for Linux access by clicking Linux User Management > 
Enable Groups for Linux. 


In the Enable Groups page, after selecting the group, make sure that the Linux-Enable All Users 
in These Groups option is selected, then click Next. 


Confirm that you want to enable the users for Linux by clicking Next. 


On the next page, browse LM to and select the UNIX Workstation - server name object of each 
server you want users to have Samba access to, then click OK. 


UNIX Workstation objects are created in the same context as the servers they represent. 
Click Next, then click Finish. 


If you have multiple eDirectory users to enable for Samba access, you might want to create a text 
file and use the smbbulkadd utility as explained in Enabling Multiple eDirectory Users with 
smbbulkadd (next). 


If you want to enable the users individually, skip to “Enabling Users for Samba Access Using 
iManager” on page 19. 


2.3.6 Enabling Multiple eDirectory Users with smbbulkadd 


You can enable multiple eDirectory users for Samba by running the smbbulkadd utility at the 
shell prompt. The users must already exist in eDirectory and must be enabled for Linux access as 
instructed in the previous section—Enabling the Group and Users for Linux Access (LUM)). 


To enable Linux-enabled users for Samba access do the following: 


1 


Before running smbbulkadd, you should ensure that a Samba-qualified password policy is in 
place. Otherwise, users are assigned a Samba-hash (Simple) password, which is not 
recommended. (See Section B.5.4, “About Samba Hash Passwords,” on page 45.) 


Step 2 instructs you on how to assign the default Samba policy to User object parent containers. 
However, you also have two other options: 


+ If you want to create a new policy, go to Section B.5.2, “Creating New Samba-Qualified 
Password Policies,” on page 44, then return to Step 3. 


+ If you want to modify an existing policy, go to Section B.5.3, “Modifying Existing 
Password Policies for Samba,” on page 44, then return to Step 3. 
Otherwise, continue with Step 2. 


Assign the Samba Default Password Policy (Universal Password policy) or other Samba- 
qualified policy (see “Samba Passwords” on page 43) to the immediate parent containers (OU 
objects) of the users you want to enable for Samba. 


2a Log in to iManager as the eDirectory Admin user. 
2b In Roles and Tasks, click Passwords > Password Policies. 
2c Select Samba Default Password Policy, then click Edit. 
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2d Inthe Password Policy drop-down list, click Policy Assignment, or in Internet Explorer 
click the Policy Assignment tab. 


2e Click the Object Selector [4] next to the Assign to field. 
2f Browse to and select the parent containers (OU objects) of the users you are enabling. 


For example, if your users are in an OU container object named users, you would browse 
to and select the users container. 


2g Click OK. 
2h Click Apply > OK. 


3 Using your favorite Linux text editor (such as Kwrite or Kate), create a text file that lists the 
following information for each user on a separate line. Be sure to include a blank line at the end 
of the file as indicated: 


-u username -x edir,context -p password 
(blank line-—-no text) 


where username is the eDirectory username, edir,context is the full eDirectory context of the 
user expressed using LDAP (comma-delimited) syntax, and password is the same password 
used to log in to the Windows workstation. 


IMPORTANT: Both the eDirectory password and the Universal Password will be set to the 
password you specify. 


For example, to Samba-enable three Linux-enabled eDirectory users named win1, win2, and 
win3 in users.doc.company, with the passwords pass1, pass2, and pass3, respectively, you 
could create a file named smbusers.txt inthe /tmp directory with the following contents: 


-u winl -x ou=users,ou=doc,o=company -p passl 


-u win2 -x ou=users,ou=doc,o=company -p pass2 


-u win3 -x ou=users,ou=doc,o=company -p pass3 


(blank line-no text) 


NOTE: You can also create the text file on a Macintosh or Windows workstation, but you must 
convert the file to UNIX text format using the dos2unix utility before using it with 
smbbulkadd. 


4 While logged in to the server as the root user, run the smbbul kadd command. 
To see the various command options, enter smbbulkadd at the shell prompt. 


For example, to process the smbusers.txt file mentioned in the example in Step 3, you 
would enter the following command at the shell prompt: 


smbbulkadd -a cn=admin,o=company -w adpass -f /tmp/smbusers.txt 
where adpass is the eDirectory Admin user password. 
The system reports the status for each user being enabled for Samba. 


5 Check the status reported to ensure that all users were enabled. If not, correct any errors in the 
smbusers.txt file, such as no blank line at the end, and run smbbulkadd again. 


Users that are already enabled are ignored. 


Now that your users are enabled to use Samba file services, you need to provide access to those 
services. Continue with the next section, Providing Access to Samba File Services. 
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2.3.7 Enabling Users for Samba Access Using iManager 


TIP: The following procedure enables users for Samba access one at a time. You can enable 
multiple users with the smbbulkadd utility. For more information, see Section 2.3.6, “Enabling 
Multiple eDirectory Users with smbbulkadd,” on page 17. 


1 In iManager, click Samba Management > Enable Linux User for Samba. 
2 Browse [XI to and select a User object, then click OK. 
3 Ifyou see options for replacing or keeping an existing policy on the screen, skip to Step 4. 


If you see only a statement about having users authenticate through eDirectory with no other 
text below it, then iManager has either 


+ Determined that the user has a Samba-qualified password policy already assigned. 
or 


+ Determined that no password policy is in place and therefore assigned the Samba Default 
Password Policy to the User object. 


Click OK and skip to Step 6. 
4 The following options appear below the statement about authenticating through eDirectory: 
+ Replace the existing policy with default Samba policy 
+ Keep the existing policy and use Samba hashes (not recommended) 
To understand why these options appear, continue reading. Otherwise, skip to Step 5. 


When you choose to enable a User object for Samba, iManager searches eDirectory to see 
whether the object already has a password policy in place by checking the following objects in 
order: 


¢ The User object 

+ The User object’s parent Container object 

+ The Container object at the root of the tree (usually an Organization object) 
+ The Security > Login Policy object 


When the search finds a password policy, it evaluates whether the policy is valid for Samba, 
meaning that the policy 


e Has Universal Password enabled 
+ Allows the Admin user to retrieve the password. 


The reason that the two options appear on the Enable Linux User for Samba screen is that 
iManager found an assigned password policy that is not valid for Samba. 


5 Choose to either 
e Replace the existing policy (the default Samba policy is assigned as the replacement) 
or 


e Cancel the process, put a qualifying password policy in place, and then run this process 
again 


For assistance, see “Be Sure to Use Samba-Qualified Universal Password Policies” on 
page 43. 


Do not choose to use Samba hashes unless you fully understand the issues associated with 
them. For more information, see “About Samba Hash Passwords” on page 45. 
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6 Ifyou are not prompted to enter a new password, skip to Step 7. 


If the Universal Password has not been set previously, or if the previously assigned password 
policy doesn’t allow checking whether a Universal Password is already set, you are prompted 
to specify and confirm a password for the user. 


Type and confirm the user password, matching the password you entered when creating the 
user in eDirectory, then click OK. 


Both the eDirectory password and the Universal Password are set. 


If you choose to not specify a password, you need to instruct the user to create a Universal 
Password by logging in to the network through iManager or using the Novell Client prior to 
attempting a Samba connection. Users will cannot connect until they create a Universal 
Password. 


7 Click Repeat Task and repeat from Step 2 until each Samba user is enabled. 
8 Click OK to finish. 


Now that your users are enabled to use Samba file services, you need to provide access to the 
services. Continue with the next section, Providing Access to Samba File Services. 
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Providing Access to Samba File 
Services 


Samba configurations can be as simple or as complex as you need them to be. For more information 
on the Samba configuration file included in OES, see “The smb.conf Configuration File” on 

page 35. For extensive information on using the configuration file in complex configurations, search 
for smb.conf on the Web. 


This section contains some basic guidelines and examples for setting up Samba access: 


e Section 3.1, “Creating Work Directories for Users,” on page 21 
e Section 3.2, “Setting Up Workgroups and Shares (Access Points),” on page 21 
e Section 3.3, “Aligning Samba and Novell Client Access,” on page 25 


3.1 Creating Work Directories for Users 


Before your users can access Samba services, they must have rights to one or more work directories 
on the Samba server. 


There are various kinds of work areas. They might be private, shared by a group, or publicly 
available. Home directories are usually private (see “Providing Private Home Directory Access” on 
page 22), whereas collaboration directories are shared by a group. Later in this section is an example 
for creating a shared work area and providing access to it (“Creating a Share for Group Access: A 
POSIX Example” on page 24). 


You can create home directories on NCP/NSS volumes automatically when you create users in 
eDirectory. See “Creating Home Directories Using iManager 2.5” on page 42. 


On traditional Linux volumes, you should create the directories after the users are enabled for Linux 
access (LUM) and Samba. This will ensure that the required access rights are automatically 
assigned. For more information, see “Logging In to Create Home Directories” on page 42 and 
“Using Linux User Management Commands to Create Home Directories” on page 43. 


3.2 Setting Up Workgroups and Shares (Access 
Points) 


Users need to be able to access the Samba server in My Network Places and Windows Explorer just 
as they would a Windows server. This means that the server needs to be assigned to a workgroup and 
it needs to publish Windows shares (access points) that are visible to users. 


By default, the Samba server is assigned to the workgroup workgroup and publishes certain 
preconfigured shares. However, these defaults are insufficient for many Samba installations. For 
example, the users share as it is defined by default provides access by authenticated users to all the 
home directories on a traditional Linux volume. 
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You can customize your workgroup and share configurations by modifying the /etc/samba/smb.conf 
file as explained in the following sections: 


e Section 3.2.1, “Providing Private Home Directory Access,” on page 22 


e Section 3.2.2, “Creating a New Share: An NSS/NCP Example,” on page 23 
e Section 3.2.3, “Creating a Share for Group Access: A POSIX Example,” on page 24 


e Section 3.2.4, “Restarting Samba to Implement the Changes,” on page 25 


3.2.1 Providing Private Home Directory Access 


Use the information in Table 3-1 and a text editor, such as Kate or VI, to provide access for your 
network users to only their individual Home directories. 


For additional information about the smb . conf file, see “The smb.conf Configuration File” on 


page 35. 


Table 3-1 Customizing the /etc/samba/smb.conf file for Home Directory Access Only 


Section Entry Name Description Recommended Action 
[global] workgroup = Specifies the Windows workgroup that the 1. Replace the value 
Samba server either joins (if it exists) or with a name for the 
effectively creates (if the name is new). workgroup that you 
want users to see 
The Samba installation sets the value of when they browse in 
this parameter to workgroup, which is Network 
the default setting for all Windows 2000 Neighborhood. 
and Windows XP workstations. As a result 
the “workgroup” workgroup can contain For example, change 
hundreds of workstations and servers, the entry to read 
rendering it unusable. workgroup = 
our_workgroup. 
[homes] This sets up a share named homes. 1. To learn more about 


The primary purpose of this standard 
Samba share is to expose only the home 
directories of your Samba users. 


The parameters in this section provide 
private access to home directories, which 
is the expectation of most network 
administrators. 
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the parameters in this 
and other sections, 
search the Web for 
information about the 
smb.conf file. 


Section 


Entry Name 


path = 


Description 


This parameter is not needed if user 
Home directories are contained in 

/home on the server because the path for 
this share defaults to 

/nome/%S—the Home directory of the 
logged in user. 


If you want to provide home directories on 
an NSS/NCP volume, be sure to review 
the information in Section B.3, “Home 
Directories and Samba,” on page 39. 


1. 


Recommended Action 


To provide access to 
home directories ina 
non-standard (other 
than 

/home/%S) location, 
specify the full path 
from the root of the 
file system. 


For example, if the 
server has an NSS 
volume, and the 
home directories are 
stored on it, you can 
provide Samba 
access by including a 
path statement such 
as, path = / 
media/nss/ 
HOME2/%S where 
HOME2 is the mount 
point of the NSS 
volume. 


Be sure to end the 
path with /3S. 
Otherwise, all the 
Home directories will 
be visible to each 
Samba user. 


[all other 
share 
names] 


These set up various other shares that are 
not needed for private home directory 
access. In fact, the [users] share actually 
makes all the home directories visible to 
every Samba user. 


. To preserve file 


contents for future 
reference while also 
removing these 
shares, comment out 
each line of the rest 
of the file, by 
inserting a pound 
sign (#) at the 
beginning of each 
line. 


Otherwise, delete 
these lines. 


3.2.2 Creating a New Share: An NSS/NCP Example 


You can create shares with unique names, such as volumes that users are familiar with, and provide 
access to them. 


For example, if your Samba users keep their work files in an NSS volume named PROJECTS, you 


could create a share to the /media/nss/PROJI 


1 Open the /etc/samba/smb.conf file in an editor. 


ECTS directory as follows: 


2 Create a [projects] share in the smb.conf file by inserting the following lines: 
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[projects] 
comment = Project folders 


path = /media/nss/PROJECTS 


browseable = Yes 
read only = No 
inherit acls = Yes 


3 Save the file and restart Samba as directed in Section 3.2.4, “Restarting Samba to Implement 
the Changes,” on page 25. 


4 Create folders for each project. 
For example, you could create folders named wheel and lever. 
5 Assign trustees to the projects using the ncpcon > rights command. 


For example, if you want userl to have full rights to wheel but only read and filescan rights to 
lever, and you want user2 to have full rights to lever but only read and filescan to wheel, you 
could assign the rights using the following commands: 


ncpcon 


rights add projects:wheel userl.full.edir.context al] 


rights add projects:wheel user2.full.edir.context rf 


rights add projects:lever user2.full.edir.context al] 


rights add projects:lever userl.full.edir.context rf 


Because Samba access to NSS volumes is controlled by NCP trustee rights, user] and user2 can now 
work in their respective project folders, and they can see but not change the contents of the project 
folder belonging to their coworker. 


Adjusting POSIX permissions is not required. 


NOTE: The rights command in the ncpcon utility is for working with any NCP volume, 
including volumes defined on traditional Linux file systems. 


For information about the ncpcon rights command, run ncpcon and enter help rights. 
The rights command available at the shell prompt is for working with NSS volumes only. 


For information on using the rights utility at the shell prompt, enter rights. 


3.2.3 Creating a Share for Group Access: A POSIX Example 


You can create shares for groups to use. 


For example, if you have a group of Samba users who want to collaborate regarding usability ideas, 
you could create a usability folder and grant access to it as follows: 
1 Create a folder named usability in /usr. 
2 Create a [usability] share in the smb.conf file by inserting the following lines: 
[usability] 


comment = Usability Ideas 
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path = /usr/usability 
browseable = Yes 

read only = No 
inherit acls = Yes 


3 Save the file and restart Samba as directed in Section 3.2.4, “Restarting Samba to Implement 
the Changes,” on page 25. 


4 Create a LUM-enabled group and assign the Samba users to it. For example, create a group 
called usetest. 


5 Change the group owner of the /usr/usability folder to usetest and grant the usetest 
group read, write and execute rights by entering the following at a shell prompt: 


chown -R :usetest /usr/usability 


chmod -R 775 /usr/usability 


For more information on creating group work directories, see “Providing a Group Work Area” 
in the Novell OES SP2 Planning and Implementation Guide. 


The users would then be able to collaborate with each other in the /usr/usability folder. 


3.2.4 Restarting Samba to Implement the Changes 


You must restart Samba for the changes you have made in the configuration file to take effect. 
Complete the following steps: 


1 Save the smb.conf file. 
2 Enter the following command: 


/etc/init.d/smb restart 


After preparing the Samba environment for your network users, you need to inform them about their 
access options. Continue with Chapter 4, “Samba User Tasks,” on page 27. 


3.3 Aligning Samba and Novell Client Access 


If you plan to have users access files and directories through both Samba and the Novell Client 
software, be sure to read “Aligning NCP and POSIX File Access Rights” in the Novell OES SP2 
Planning and Implementation Guide and follow the directions there. 


Providing Access to Samba File Services 


25 


26 Samba Administration Guide for OES Linux SP2 


Samba User Tasks 


When Novell Samba is properly configured on your OES Linux server, the Windows users on your 
network can access the shares you create by completing one or more of the following tasks. 


e Section 4.1, “Adding a Network Place,” on page 27 
+ Section 4.2, “Adding a Web Folder,” on page 28 
e Section 4.3, “Mapping Drives to Shares,” on page 29 


4.1 Adding a Network Place 


From a Windows 2000 or XP workstation, you can add a Network Place (formerly known as a Web 
folder) that points to a share on the OES server by doing the following: 


IMPORTANT: The directory you are linking to must already exist on the OES server and fall 
within the scope of a defined share. Also, the directory’s owner (eDirectory Samba user) must have 
the same login name and password as a user on the Windows workstation you are using. 


Share names and the server directories they point to are defined in the /etc/samba/smb.conf file on 
the OES Linux server. For more information and setting up shares, see Section 3.2, “Setting Up 
Workgroups and Shares (Access Points),” on page 21. 


1 Log in to your Windows workstation. 

2 From your desktop, access My Network Places. 
3 Double-click Add Network Place. 

4 On Windows 2000, do the following: 


4a In the Location field, type the Samba server name and share name as follows: 
\\Samba_host_name\share_name 
where Samba_host_name is the name of the Samba server (by default this is hostname-W) 
and share_name is a share name specified in the /etc/samba/smb.conf file (the most 
common share name is “homes”. 


For example, to access the homes share on a server with the host name myserver, you 
would type \\myserver-w\homes in the Location field. 


4b Click Next. 


4c (Optional) modify the name of the Network Place to a more intuitive name, such as My 
Home Directory. 


4d Click Finish. 
The folder opens, ready for access. 
5 On Windows XP, do the following: 
5a In the Add Network Wizard dialog box, click Next. 
5b Select Choose another network location, then click Next. 


5c In the /nternet or network address field, type either the IP address of the server or the 
Samba server name followed by the share name as follows: 
\\Samba_host_or_IP\share_name 
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where Samba_host_or_IP is the IP address or name of the Samba server (by default this is 
hostname-W) and share_name is a share name specified in the /etc/samba/smb.conf file 
(the most common share name is “homes”). 


Share names and the server directories they point to are defined in the /etc/samba/ 
smb.conf file on the OES Linux server. For more information and setting up shares, see 
Section 3.2, “Setting Up Workgroups and Shares (Access Points),” on page 21. 


5d Click Next. 


5e (Optional) modify the name of the Network Place to a more intuitive name, such as My 
Home Directory. 


5f Click Next. 
5g Click Finish. 


The folder opens, ready for access. 


Network places are pervasive and are automatically available in Network Neighborhood each time 
the user logs in. 


4.2 Adding a Web Folder 


Using the Internet Explorer browser, you can add a Web folder that points to a share on the OES 
server by doing the following: 


IMPORTANT: The directory you are linking to must already exist on the OES server and fall 
within the scope of a defined share. Also, the directory’s owner (eDirectory Samba user) must have 
the same login name and password as a user on the Windows workstation you are using. 


Share names and the server directories they point to are defined in the /etc/samba/smb.conf file on 
the OES Linux server. For more information and setting up shares, see Section 3.2, “Setting Up 
Workgroups and Shares (Access Points),” on page 21. 


Log in to your Windows workstation. 
Open Internet Explorer. 

Click File > Open. 

Click Open as Web Folder. 


In the Open field, type the Samba server name and share name as follows: 
\\DNS_Name_or_IP\share_name 

where DNS _Name_or_IP is the IP address or DNS name of the Samba server and share name 
is a share name specified in the /etc/samba/smb.conf file (the most common share name is 
“homes”). 


a Fk © N = 


For example, to access the homes share on a server with the host name myserver, you 
would type \\myserver.full.dns.name\homes in the Location field. 


6 Click OK. 


7 To make the folder automatically available, click Favorites > Add to Favorites > OK. 
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4.3 Mapping Drives to Shares 


From a Windows 2000 or XP workstation, you can map a network drive letter that points to a share 
on the OES server by doing the following: 


IMPORTANT: The directory you are linking to must already exist on the OES server, and the 
directory’s owner (eDirectory Samba user) must have the same login name and password as the 
logged in user on the Windows workstation you are using. 


1 Log in to your Windows workstation. 
2 From your desktop, access My Computer > Tools > Map Network Drive. 
3 From the Drive drop-down menu, select an unused drive letter. 


4 Inthe Folder field, type the Samba server name and share name as follows: 
\\Samba_host_name\share_name 
where Samba_host_name is the name of the Samba server (by default this is hostname-W) and 
share_name is a share name specified in the /etc/samba/smb.conf file (the most common share 
name is “homes”). 


For example, to access the homes share on a server with the host name myserver, you 
would type \\myserver-w\homes in the Folder field. 


5 Click Finish. 


The folder opens, ready for access. 
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Samba Caveats 


This section explains the following known caveats for the Novell Samba implementation in OES 
Linux. 


e Section A.1, “Samba Enabling Problems and the Base Context for Samba Users Field,” on 
page 31 


Section A.2, “File Trustee Rights Changes Do Not Affect Current Samba Connections,” on 
page 31 


Section A.3, “LDAP Search Delays and Samba,” on page 32 
Section A.4, “The Samba Proxy User Password Must Be Managed Separately,” on page 32 
Section A.5, “Windows XP SP2 Wrongly Reports File Deletion,” on page 32 


Section A.6, “Home Directory Creation Is Not Automatic,” on page 33 


A.1 Samba Enabling Problems and the Base 
Context for Samba Users Field 


When you install Samba services on OES Linux, the default value of the Base Context for Samba 
Users field is the eDirectory context where the server is installed. 


If your User objects reside in the same context as the server or in a sub-context of the server’s parent 
container, the objects can be enabled for Samba. However, many organizations choose to place User 
objects in a sibling container to the one where servers are located or in some other context separate 
from the server context. 


To ensure that your users can be Samba enabled, you must change the Base Context for Samba 
Users field at install time to a context that includes (either directly or as a sub-context) both the 
Samba users and the servers they will access. 


For specific instructions and an illustration of setting the base context, see Step 6 on page 12. 


If you have discovered this requirement after installing Samba and need to change the context, see 
Section C.1, “A sambaDomain Object Error Occurs,” on page 47. 


A.2 File Trustee Rights Changes Do Not Affect 
Current Samba Connections 


NetWare administrators know that NetWare file services handle file trustee rights changes 
dynamically. If you grant or revoke access privileges, the impact on connected users is immediate. 
This behavior is also reflected in the NFAP (Native File Access Protocols) product that provides 
Windows (CIFS) access to NetWare servers. 


On the other hand, file trustee rights for Windows file services are set when the Windows (CIFS) 
connections are established and are unaffected by subsequent changes. 


Because Samba provides Windows file services on Linux servers, the standard Windows behavior is 
preserved. Therefore, changes to trustee rights (granting or revoking) have no effect while a session 
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is in progress. For example, if you revoke the Write right for a Samba user connected to an NSS file 
system, the change you make will not take effect until the user disconnects and logs in again. 


Being aware of this difference between the way NetWare and Windows handle rights changes is 
especially important to NetWare administrators who are used to working with NFAP on NetWare 
and plan to convert their file services to Samba on OES Linux. 


A.3 LDAP Search Delays and Samba 


When the number of objects in a tree is very large (greater than 100,000), users can experience 
substantial LDAP authentication delays when accessing Samba on an OES server. 


To reduce the search time, you have the following options: 


+ Set the object cache high enough that all the objects being searched are cached in memory. For 
more information, see “Tuning LDAP for eDirectory” in the Novell eDirectory 8.7.3 
Administration Guide. 


e Index the objectClass attribute (the attribute that is compared during the LDAP search). For 
more information, see “Index Manager” in the Novell eDirectory 8.7.3 Administration Guide. 


e Add an eDirectory replica to the server where the search is taking place. For more information, 
see “Adding a Replica” in the Novell eDirectory 8.7.3 Administration Guide. 


A.4 The Samba Proxy User Password Must Be 
Managed Separately 


When you install Novell Samba, you are asked to specify a Samba proxy user for LDAP 
authentication through eDirectory. 


By default, the eDirectory Admin user is designated as the Samba proxy user. 


If the Admin user’s password is changed in eDirectory, you must also change the proxy password on 
the OES Linux server by entering the following at a shell prompt: 


smbpasswd -w new password 


where new_password is the newly specified password for the Admin user in eDirectory. 


A.5 Windows XP SP2 Wrongly Reports File 
Deletion 


Windows XP SP2 wrongly reports file deletions to Samba users under specific conditions as 
follows: 


The files are on an NSS volume. 


. Users don’t have the Erase right to the files. 


1. 

2 

3. Users try to delete the files. 

4. The system reports that the files were deleted. 
5 


. Refreshing the window shows that the files still exist. 


Windows XP SP1 and earlier correctly reports that the files cannot be deleted. 
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A.6 Home Directory Creation Is Not Automatic 


Unlike many Samba implementations, the Samba configuration in OES does not support automatic 
creation of home directories. For more information, see Section B.4, “Methods for Creating Home 
Directories and Enabling Access to them for Samba Users,” on page 41. 
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Important Information for Using 
Novell Samba on OES Linux 


This section provides information about the following topics: 


e Section B.1, “Component Information,” on page 35 


e Section B.2, “Samba and NSS Volumes,” on page 38 


Section B.3, “Home Directories and Samba,” on page 39 


Section B.4, “Methods for Creating Home Directories and Enabling Access to them for Samba 
Users,” on page 41 


Section B.5, “Samba Passwords,” on page 43 


Section B.6, “Security Implications,” on page 45 
Section B.7, “Web Links,” on page 46 


B.1 Component Information 


The Samba distribution included with OES consists of the RPMs and configuration files outlined in 
this section. 


e Section B.1.1, “Samba RPM,” on page 35 
e Section B.1.2, “The smb.conf Configuration File,” on page 35 
e Section B.1.3, “The Idap.conf Configuration File,” on page 37 


B.1.1 Samba RPM 


OES includes a Novell customized version of the Samba package (novel 1l-samba-3.0....). 
In compliance with Samba standards, we have added the switches -with-ldapsam and -with-ssl to 


provide secure LDAP authentication support for Samba users. 


B.1.2 The smb.conf Configuration File 


In compliance with Linux Standards Base (LSB) requirements, we have placed the Samba 
configuration file (smb.conf) in the /etc/samba directory on the OES server. 


The Novell implementation of Samba modifies that the smb.conf file that ships with SLES 9 as 
explained in Table B-1. 
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Table B-1 Modified/Added Entries in the smb.conf File 


Section 


[global] 


Entry Name 


workgroup = 


Description 


Specifies the Windows workgroup that the 
Samba server either joins (if it exists) or 
effectively creates (if the name is new). 


Change or Default Setting 
Information 


This is modified from TUX- 
NET to workgroup 


netbios name = 


Sets the NetBIOS name that a Samba 
server is known and advertised as. If 
Samba is installed for the first time by 
OES, Novell appends -W to the hostname 
for this entry. This is necessary to prevent 
a conflict with NCP on Linux, which uses 
the hostname. 


This entry is added. 


Default: netbios name = 
%h-W 


%h is the server’s host 
name. 


passdb backend = 


Specifies that Samba account information 
is stored in eDirectory LDAP database. 


This entry is added. 


Do not modify this line. 


Idap admin dn = 


Specifies the Distinguished Name (DN) 
that Samba uses for contacting the 
eDirectory LDAP server to retrieve user 
account information for users requesting 
access to Samba shares. 


The password for the DN specified at 
install time is encrypted by the installation 
process and stored in the SecretStore 
(secrets.tdb) on the OES server. 


If the DN name is changed in eDirectory, 
the name specified in this file must also be 
changed. 


If the DN password is changed, the new 
password must be stored using the 
smbpasswd command. For more 
information, see Section A.4, “The Samba 
Proxy User Password Must Be Managed 
Separately,” on page 32. 


This entry is added. 


Example: Idap admin dn = 
cn=admin,o=novell 


Idap suffix = 


Specifies the context that is used to 
search for the server and user objects in 
eDirectory. 


A search from this context down through 
the tree must find both the server and 
Samba users. 


You cannot correct problems with this 
context by simply modifying this field with 
a text editor. Instead you must follow the 
instructions in Section C.1, “A 
sambaDomain Object Error Occurs,” on 
page 47. 
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This entry is added. 


The default setting is 
specified during install time 
as the Base context for 
Samba users. 


Section 


Entry Name 


Idap idmap suffix = 


Description 


Specifies the location of 
sambaldmapEntry objects. 


Change or Default Setting 
Information 


This entry is added. 


The default setting is the O 
parent container. For 
example, o=novell. 


Idap machine suffix = 


Specifies where machine trust accounts 
are stored. 


This entry is added. 


The default setting is the O 
parent container. For 
example, o=novell. 


Idap passwd sync = 


Specifies that password encoding support 
is on or off. 


This entry is added. 


Default: Idap password 
sync = on 


security = 


Specifies the security mode. 
The value must be set to user. 


For more information, see samba.org 
(http:/Awww.samba.org) on the Web. 


This entry is added. 


Default (required): security 
= user 


encrypt passwords = 


Specifies that passwords received from 
Windows clients are encrypted. 


This value must be set to yes. 


For more information, see samba.org 
(http:/Awww.samba.org) on the Web. 


This entry is added. 


Default (required): encrypt 
passwords = yes 


A full explanation of the smb.conf file is well beyond the scope of this guide. Table B-2 briefly 
explains the purpose of other sections found in the file. For detailed explanations, search for 
smb.conf on the Web. 


Table B-2 A Brief Summary of the Other Entries in the smb.conf File 


Section Description 

[profiles] This section sets up a network profiles service for playing media files through 
Samba. 

[users] This section sets up a share that displays all the home directories in /home. 

[groups] This section sets up a share that displays any directories contained in /home/ 
groups. 

[printers] These sections set up a share for Samba printing, which is not supported on OES 
Linux. iPrint is the OES printing solution. 

[print$] 


B.1.3 The Idap.conf Configuration File 


Samba on Linux uses the OpenLDAP client libraries Libldap.soandlibldap r.so. 
ldap.conf is the configuration file for OpenLDAP. 
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In compliance with Linux Standards Base (LSB) requirements, we have placed the ldap. conf file 
in the /etc/openldap directory on the OES server. 


If you install the OES server into an existing tree, you must specify a trusted root certificate during 
OES installation if you want to use SSL. The 1dap . conf file on your OES server then has the 
following certificate-related entries: 


e TLS_CACERT /etc/ssl/certname.cert 
e TLS REQCERT demand 


If you are installing a new directory tree, the 1dap.conf file has the following entry: 
e TLS_REQCERT allow 


For more information on the ldap. conf file, see the Idap.conf man page. 


B.2 Samba and NSS Volumes 


Be aware of the following when using Samba to access NSS volumes. 
e Section B.2.1, “Access Requires Additional Setup,” on page 38 
e Section B.2.2, “Mounting NSS Volumes for Use with Samba,” on page 38 


e Section B.2.3, “Samba on NSS Can Be a Good Combination for Performance,” on page 39 


B.2.1 Access Requires Additional Setup 


Samba-enabled users cannot access an NSS volume using Samba until they are granted NSS trustee 
rights to the volume. (Rights are automatically granted for home directories on NSS volumes that 
are created in iManager.) 


You can grant NSS trustee rights on a per-object basis using either the ncpcon > rights command 
at the OES Linux server shell prompt or by using an NCP client (provided the NCP server is running 
at the time). 


If you are granting the same rights to multiple Samba users, it is more efficient to assign those users 
to a LUM-enabled group and then grant trustee rights to the group. Keep in mind that each group 
member has the same rights in this case. 


For more information on granting NSS trustee rights, see “Using the Novell Client to Manage 
Trustees and Trustee Rights” and “Trustee Rights Utility for Linux” in the File Systems 
Management Guide for OES. 


B.2.2 Mounting NSS Volumes for Use with Samba 


Because Windows is case insensitive, we strongly recommend that you mount NSS volumes as case 
insensitive when they are accessed through Samba. 


When mounting an NSS volume for use with Samba: 


1 IniManager > the Storage plug-in > Volumes > Properties, set the Lookup Namespace option to 
Long and remount the volume. 
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2 On the OES Linux server, open the /etc/samba/smb.conf file in a text editor and check 
for a case sensitive parameter in [global] section of the file. If the parameter exists (normally it 
does not) and if it is set to yes, change the setting to no. 


B.2.3 Samba on NSS Can Be a Good Combination for 


Performance 
If you will have more than 2,000 files and folders accessed through Samba, you should consider 
using NSS as the underlying file system. Above that number, Samba on NSS outperforms Samba on 


traditional Linux volumes, such as EXT3 or Reiser. As you add more files and directories above the 
2,000 mark, the performance advantage increases. 


B.3 Home Directories and Samba 


NOTE: The information discussed in this section generally applies to all data directories and files. 
This discussion centers on home directories because they are a common data storage location in 
many network installations. 


There are three basic locations for user home directories: 


¢ Traditional Linux volumes (/home) 
¢ Traditional Linux volumes that are also configured as NCP volumes 


+ NSS volumes that are also NCP volumes by definition 


Table B-3 summarizes the Samba accessibility to home directories for each volume type: 
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Table B-3 Home Directory Accessibility by Volume Type 


Volume Type a i Access Control Initial Accessibility Notes and Caveats 
ethod 
Traditional Login as the POSIX file e Visible - all home To make the contents of 
Linux user toa attributes directories can be home (and other) 
PAM-enabled seen by an directories private (non- 
service authenticated user. browseable) change the 
(Samba is not « Browseable- thë file attributes (chmod or 
PAM-enabled. contentor all home Konqueror) so that only the 
He directories is owner has rights. 
ne browseable. For instructions, see 
doesn’t create e Modifiable - owners “Providing a Private Work 
home can modify the content Directory” in the Novell 
directories, as of their own home OES SP2 Planning and 
explained in directories. Group and Implementation Guide. 
tion A.6, Other users can’t , 
ebi : modify the content of Alternatively, you can 
Directory directories they don’t modify the smb.conf file as 
Creation fe own. explained in Section eels 
Not “Providing Private Home 
mene” Directory Access,” on 
: page 22. Following these 
anpage <2.) instructions hides the home 
directories in Samba 
because users see only 
their home directory 
contents and not the home 
directory itself. 
NCP on iManager at POSIX file e Visible - all home To make these home 
Traditional user-creation attributes directories can be directories browseable and 
Linux time seen by an modifiable for the directory 
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authenticated user. 


e Browseable - initially 
no users can see 
directory contents. 
This is because the 
users are not the 
directory owners from 
a POSIX perspective. 
See the additional 
explanation in the next 
column. 


e Modifiable - initially 
the user can’t modify 
directory contents 
because the user is 
not the directory 
owner from a POSIX 
perspective. See the 
additional explanation 
in the next column. 


owner, you must use 
chown or Konqueror and 
change the POSIX owner 
from the eDirectory Admin 
user to the actual user. 


For instructions, see “NCP 
Volumes on Traditional 
Linux File Systems” on 
page 42. 


After changing POSIX 
directory ownership, other 
users are still not able to 
browse or modify directory 
contents because 
iManager assigns no 
POSIX Group or Other file 
attributes when it creates 
the directory. 


Volume Type 


Creation 


Access Control 


Initial Accessibility 


Notes and Caveats 


Method 
Log in as the POSIX file e Visible - all home To make the contents of 
user to a attributes directories can be these home directories 
PAM-enabled seen by an private (non-browseable) 
service authenticated user. change the file attributes 
(Samba is not * Browseable =the (chmod or Konqueror) so 
PAM-enabled. contentof all home that only the owner has 
Ms directories is rights. 
Phas > browseable. For more information, see 
doesn't create + Modifiable - owners “Providing a Private Work 
home can modify the content Directory” in the Novell 
directories, as of their own home OES SP2 Planning and 
explained in directories. Group and /mplementation Guide 
Section A.6, Other users can't 
“Home modify the content of 
Directory directories they don’t 
Creation Is own. 
Not 
Automatic,” 
on page 33. 

NSS iManager at NCP trustee e Visible - only the NSS displays its directory 


user-creation 
time 


assignments 
in combination 
with NSS 
directory and 
file attributes 


user’s home directory 


e Browseable - only the 
user’s home directory 


e Modifiable - only the 
user’s home directory 


and file attributes as 
POSIX permissions for 
compatibility with services 
that require them, such as 
Samba. However, the 
underlying access for 
Samba users is controlled 
by NSS. 


For more information, see 
“Understanding File 
System Access Control for 
NSS and NetWare 
Traditional File Systems” in 
the File Systems 
Management Guide for 
OES. 


B.4 Methods for Creating Home Directories and 
Enabling Access to them for Samba Users 


If you have previously administered Samba servers outside of an OES context, you might expect 
that user home directories are automatically created the first time a user logs in to Samba. 


This is not the case in OES because Samba is not a PAM-enabled service. (See “Services in OES 
Linux That Require Linux-Enabled Access” in the Novell OES SP2 Planning and Implementation 
Guide.) Therefore, if you plan to provide Samba users with home directories, you must determine an 
alternate method for creating them. 


The following sections briefly explain your options for creating user home directories. 


+ Section B.4.1, “Creating Home Directories Using iManager 2.5,” on page 42 
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e Section B.4.2, “Logging In to Create Home Directories,” on page 42 


e Section B.4.3, “Using Linux User Management Commands to Create Home Directories,” on 
page 43 


B.4.1 Creating Home Directories Using iManager 2.5 


If you plan to create home directories for eDirectory users on an NSS/NCP volume (the volume 
must exist and be mounted), and you have the NCP server installed and running (the OES default), 
you can create user home directories in iManager at the same time you create the user objects. 
(iManager cannot create home directories on traditional Linux volumes that are not also NCP 
volumes.) 


There is one important caveat: directories created using this method are owned from a POSIX 
perspective by the eDirectory user who creates the user. The implications of this caveat are 
explained in the following sections. 


NSS Volumes 


POSIX ownership has no bearing on Samba access to NSS volumes because NSS controls access 
based on the Novell trustee model. 


However, POSIX ownership is required for tracking User Quotas. Any files that are created in an 
NSS home directory before a user is enabled for Linux access are not counted against the user’s 
quota until POSIX ownership is corrected. For more information, see “Setting Quotas for Users 
Who Were Not Initially Enabled for Linux Access (Linux)” in the Novell Storage Services File 
System Administration Guide for OES. 


NCP Volumes on Traditional Linux File Systems 


POSIX ownership is an issue for Samba access when the NCP volume is defined on a traditional 
Linux file system. Because access to traditional Linux file systems is controlled through POSIX, 
users cannot access their own home directories until ownership is changed. 


You can reassign directory ownership after the user is enabled for Samba by using the chown 
command. 


For example, to change ownership of the /home/user! directory from the Admin user to userl, you 
would enter 


chown -R userl: /home/userl. 


The -R option applies the operation recursively to all subdirectories and files. 


B.4.2 Logging In to Create Home Directories 


Home directories are automatically created and appropriate file access rights are automatically 
assigned the first time an eDirectory user who is enabled for Linux access (LUM) logs in to the OES 
server using PAM-enabled services, such as login, ssh, ftp, or a telnet connection. For more 
information, see “Services in OES Linux That Require Linux-Enabled Access” in the Novell OES 
SP2 Planning and Implementation Guide. 
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The simplest approach for many network administrators is to log in to the OES Linux server as the 
root user and use the su command at the shell prompt to create a home directory for each user, as 
follows: 


su username 
exit 


where username is the login name of the user for which the home directory is being created. 


Alternatively, if your users access the OES server using a PAM-enabled service, you could have 
them log in to the server to create their own home directories. 


B.4.3 Using Linux User Management Commands to Create 
Home Directories 


You can use either the namuseradd or namusermod command with the -m option to create 
home directories as documented in the Novell Linux User Management Technology Guide. 


B.5 Samba Passwords 


Before creating or enabling eDirectory users for Samba access, it is important to understand certain 
requirements regarding Samba passwords. 


The preferred method for Samba authentication in OES involves the use of a Universal Password 
(UP) policy in eDirectory. The primary reason for this is that it eliminates the need for password 
synchronization when users change their passwords in eDirectory. 


The first time you install Samba on an OES Linux server in a given eDirectory tree, the install 
creates a Universal Password (UP) policy in the tree named Samba Default Password Policy. The 
policy is located in eDirectory > Security > Password Policies. 


Alternatively, you can choose the Samba hash method of authentication, but this is not 
recommended. For more information, see Section B.5.4, “About Samba Hash Passwords,” on 
page 45. 


The following sections explain the issues associated with Universal Password and Samba hash 
passwords. 
e Section B.5.1, “Be Sure to Use Samba-Qualified Universal Password Policies,” on page 43 
e Section B.5.2, “Creating New Samba-Qualified Password Policies,” on page 44 
e Section B.5.3, “Modifying Existing Password Policies for Samba,” on page 44 
e Section B.5.4, “About Samba Hash Passwords,” on page 45 


B.5.1 Be Sure to Use Samba-Qualified Universal Password 
Policies 


For a Password Policy to qualify for use by Samba users, the following configuration options must 
be enabled on the iManager > Roles and Tasks > Passwords > Password Policies > the Universal 
Password tabbed page: 


+ Enable Universal Password 
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+ Allow Admin to Retrieve Password 


B.5.2 Creating New Samba-Qualified Password Policies 


Log in to iManager, then click Roles and Tasks > Passwords > Password Policies > New. 
Name the policy, then click Next. 

At the Would you like to enable Universal Password? prompt, click Yes. 

Click View Options. 


Select the Allow Admin to Retrieve Password option. 


OO Où BR WN = 


Continue creating the policy and in Step 7 of 8 assign it as follows: 
If you are using the smbbulkadd utility to enable Samba users you must assign it to either 
e Each User object being enabled 
or 
+ The Organizational Unit parents of your User objects 
If you are using iManager to enable Samba Users, assign the policy to either 
e Each User object being enabled 
¢ The Organization Unit Parents of your User objects 
or 
+ The Organization object at the root of the tree above the User objects. 
7 Click Next. 
8 Click Finish. 
9 Click Close. 


B.5.3 Modifying Existing Password Policies for Samba 


Log in to iManager, then click Roles and Tasks > Passwords > Password Policies 
Select a policy, then click Edit. 


Make whatever changes you need. 


kh O N = 


In the drop-down list, click Configuration Options, or in Internet Explorer click the Universal 
Password tab, then click the Configuration Options link. 


5 Make sure the Enable Universal Password and the Allow Admin to Retrieve Password options 
are both selected. 


6 Inthe drop-down list, click Policy Assignment, or in Internet Explorer click the Policy 
Assignment tab. 


7 If you are using the smbbulkadd utility to enable Samba users you must assign it to either 
+ Each User object being enabled 
or 
+ The Organizational Unit parents of your User objects 
If you are using iManager to enable Samba Users, assign the policy to either 


+ Each User object being enabled 


44 Samba Administration Guide for OES Linux SP2 


e The Organization Unit Parents of your User objects 
or 
+ The Organization object at the root of the tree above the User objects. 
8 Click Apply. 
9 Click OK. 


B.5.4 About Samba Hash Passwords 


Passwords can be stored as a Samba hash in eDirectory, but this is not recommended because Samba 
hash passwords are less secure and users must remember to synchronize their password with each 
password change. 


When you create a new Samba user or enable an existing user for Samba, if the user has a 
nonqualifying password policy associated with it, you get a message encouraging you to replace the 
policy with the default Samba policy. The alternative is to use the Samba hash password and the 
existing nonqualifying password policy. 


NOTE: The choice to use a Samba hash is presented only when the user has a nonqualifying 
password policy assigned. And the recommended course of action when this occurs is to either 
modify the nonqualifying password policy to be Samba compliant, or assign a Samba-compliant 
policy rather than choosing to use the Samba hash. 


If you choose to use the Samba hash password instead of a qualifying Samba password policy, and 
users change their eDirectory password, they must manually synchronize their eDirectory and 
Samba Hash (simple) passwords. For example, in Virtual Office, they must ensure that the 
Synchronize Samba Password option is selected (checked). Otherwise, their passwords are not 
synchronized and they cannot access Samba. 


B.6 Security Implications 


If you plan to implement Samba on your network, be aware of the following security implications: 


e Section B.6.1, “Universal Password,” on page 45 


+ Section B.6.2, “Samba Access Vs. Novell Client Access,” on page 46 


B.6.1 Universal Password 


By default, Samba uses Novell Universal Password (UP) for authentication. Changing the default 
UP setting is not recommended because the alternative Samba hash method is not as secure. 


Before using Samba, you might want to investigate the implications for using Universal Password as 
documented in “Issues to Watch For” in the Novell Modular Authentication Services (NMAS) 2.4 
Administration Guide. 


Alternatively, you might choose to provide Windows users with file services using Novell Client 
software, Novell iFolder® 2. 1x, or NetStorage. For more information, see “File Services” in the 
Novell OES SP2 Planning and Implementation Guide. 


For more information on Samba password options, see Section B.5, “Samba Passwords,” on 
page 43. 
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B.6.2 Samba Access Vs. Novell Client Access 


Samba uses the POSIX/Linux security model. Novell Client software and other NCP access 
methods use the NetWare security model. 


Providing similar access priviledges for both Samba users and Novell Client (NCP) users, requires 
additional steps as explained in “Aligning NCP and POSIX File Access Rights” in the Novell OES 
SP2 Planning and Implementation Guide. 


B.7 Web Links 


For more information about the origin, purposes, and functionality of Samba, refer to the following 
links: 


www.samba.org (http://www.samba.org) 


www.openldap.org\samba-2.2.8\docs\htmldocs\Samba-LDAP-HOWTO.html (http:// 
www.openldap.org) 


www.unav.es/cti/Idap-smb/Idap-smb-2 2-howto.html (http://www.unav.es/cti/Idap-smb/Idap- 
smb-2 2-howto.html) 


www.google.com/grphp (http:/www.google.com/grphp) 
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Troubleshooting Samba Access 


The following sections should help you solve Samba access problems. If you don’t find the answers 
you need, please use User Comments feature in the online documentation to let us know what is 
missing. 


This section currently covers the following issues: 


e Section C.1, “A sambaDomain Object Error Occurs,” on page 47 

+ Section C.2, “I Can’t Enable eDirectory Users for Samba,” on page 48 

e Section C.3, “Users Can See Everyone’s Home Directories,” on page 48 
e Section C.4, “Users Can’t Log In to the Samba Server,” on page 48 

e Section C.5, “Users Can’t See Their Home Directories,” on page 48 


e Section C.6, “Users Get Errors When Trying to Access Their Directories,” on page 49 


C.1 A sambaDomain Object Error Occurs 


This happens when the sambaDomain object in eDirectory cannot find both the server object and the 
user object. The caveat is explained in “Base Context for Samba Users Field Must Usually Be 
Changed” in the Novell OES SP2 Planning and Implementation Guide. 


If you have installed Samba and need to modify the Base Context for Samba Users setting on your 
server, do the following: 

1 Log into iManager as the Admin user. 

2 In Roles and Tasks, click eDirectory Administration > Delete Object. 

3 Browse EX! to and select the sambaDomain object. 


The object is located in the Base Context for Samba Users that was specified when Novell 
Samba was installed and is named HOSTNAME-W, where HOSTNAME is the host name of 
your OES Linux server. 


4 Click OK to delete the object. 
5 Ina Linux text editor, open the /etc/samba/smb.conf file. 


6 Remove the section from the file that was added by the Novell Samba install. 


The section starts with # BEGIN - Entries made by OES install and ends with 
END - Entries made by OES install, and it is right before the [homes] share 
definition if you have not manually modified the file. 


If you have run the install for Novell Samba multiple times, there is a section for each time. 
You must remove all the sections. 


7 Save the file. 
8 Shut down Samba by entering the following at a shell prompt: 
/etc/init.d/smb stop 
9 In YaST, run the Novell Samba configuration by clicking Network Services > Novell Samba. 


10 When the message displays informing you that Samba has already been configured, click Yes. 
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11 Enter the eDirectory Admin user password, then click Next. 


12 Modify the Base Context for Samba users field to a context in the tree that is above both the 
server and the users you want to enable for Samba access. 


13 Click Next. 
14 Close YaST. 


C.2 | Can’t Enable eDirectory Users for Samba 


The most common cause for this problem is explained in “Base Context for Samba Users Field Must 
Usually Be Changed” in the Novell OES SP2 Planning and Implementation Guide. 


C.3 Users Can See Everyone’s Home Directories 


The Linux (POSIX) file security model is public by default, whereas the traditional Novell model is 
private. For a comparison of the two models, see “Comparing the Linux and the NetWare Core 
Protocol (NCP) File Security Models” in the Novell OES SP2 Planning and Implementation Guide. 


You can adjust the default permissions on Linux to more closely match the traditional Novell model 
by following the instructions in “Aligning NCP and POSIX File Access Rights” in the Novell OES 
SP2 Planning and Implementation Guide. 


C.4 Users Can’t Log In to the Samba Server 


To access Samba, users must meet the requirements found in “Samba Users Are Both Windows and 
eDirectory Users” on page 15. 


The Samba Proxy User password stored on the OES Linux Server must match the corresponding 
user’s password in eDirectory. For more information, see Section A.4, “The Samba Proxy User 
Password Must Be Managed Separately,” on page 32. 


C.5 Users Can’t See Their Home Directories 


Check for the following: 


C.5.1 Does the Directory Exist? 


The Samba implementation in OES doesn’t automatically create home directories when users log in 
to Samba. For more information, see Section B.4, “Methods for Creating Home Directories and 
Enabling Access to them for Samba Users,” on page 41. 


C.5.2 Does the Directory exist in the Share Path? 


By default, the [homes] share points to individual home directories in /home at the root of the file 
system. If the home directories were created in another location, for example through iManager on 
an NCP volume that doesn’t point to /home, you need to either include a path statement in the 
[homes] share definition that points to the correct location, or create another share that users can 
access. For more information, see Section 3.1, “Creating Work Directories for Users,” on page 21, 
Section 3.2, “Setting Up Workgroups and Shares (Access Points),” on page 21. 
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C.6 Users Get Errors When Trying to Access 
Their Directories 


The most common cause for this problem involves home directories that were created in iManager 
on NCP volumes that point to traditional Linux file systems. 


Home directories created in iManager are owned (from a POSIX standpoint) by the Admin user who 
creates the user object. If a Samba share points to a traditional Linux file system, then the Samba 
user must have POSIX access rights to access directory contents. For more information, see “NCP 
Volumes on Traditional Linux File Systems” on page 42. 
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